1. CRYP-F02
Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection
Peter Scholl (University of Bristol)
Michele Orrù (ENS Paris)
Emmanuela Orsini (University of Bristol)

2. 1-out-of-2 Oblivious Transfer
1-2 OT
b ϵ {0,1}
x0,x1 ϵ {0,1}k xb

3. 1-out-of-n Oblivious Transfer
1-2 OT
b ϵ {0, ..., n-1}
x0, ..., xn-1
ϵ {0,1}k xb

4. Motivation for Oblivious Transfer
Secure 2-party and multi-party computation
Auctions
Genome analysis
Private set intersection
Privacy-preserving contact discovery
No-fly lists
All these need a lot of OTs

5. OT requires public-key primitives, so is inherently expensive
Obf. >> FHE >> PKE >> SKE >> OTP
Less efficient
More efficient

6. OT extension creates many OTs from just a few, at very low cost
k seed OTs
m OTs
Symmetric crypto
k=128
m = 1 billion

7. Warm-up: OT on long strings is easy
b ϵ {0,1}
k0,k1 kb
Enc(k0,m0), Enc(k1,m1)
Recover mb with kb
First transfer a key
Then encrypt long messages under the keys

8. [IKNP03] OT extension: “Turn your head”

9. IKNP: a few OTs on long strings  many OTs on short strings, with sender/receiver reversed
1 x
1-2 OT = x x +
x + c . b c

10. Sender’s strings are correlated by c
IKNP: a few OTs on long strings  many OTs on short strings, with sender/receiver reversed Y m k
k x
1-2 OT X = k X k +
X + C b1 c k . .
Sender’s strings are correlated by c . bk c m

11. IKNP: a few OTs on long strings  many OTs on short strings, with sender/receiver reversed= X k + b1 c . . . bk c m

12. IKNP: a few OTs on long strings  many OTs on short strings, with sender/receiver reversed= X Y X k = + . . . m c c + b1 c . . . k k b1 bk bk c m

13. IKNP: a few OTs on long strings  many OTs on short strings, with sender/receiver reversed= X X Y k = + . . . m c c + b1 c . . . k k b1 bk bk c m

14. IKNP: a few OTs on long strings  many OTs on short strings, with sender/receiver reversed= c1 b X k . X = + . Y . m + b1 c cm b . . . k bk c m

15. 1-out-of-n OT extension, with active security

16. [KK13] gives you passive security
Replace IKNP correlation: c C
... . c1 cm . .
with = c
ci = Encode(xi), with error-correcting code
Sender has an XOR share of each row of C
Active adversary: how to guarantee correct encodings?

17. New consistency check for the receiver’s codewords
Sender sends challenge: Receiver opens both shares of: Sender checks each column is a codeword k m R . C

18. Intuition behind the consistency check
Takes k random linear combinations of C over F2
Except with prob. 2-k, receiver gets challenged on every codeword
ECC must be a linear code and have a high minimum distance R k . C m
Inspired by [FJNT16]

19. Implementation of actively secure 1-out-of-n OT
800 lines of C
Tested over LAN and WAN
Intel AVX for matrix operations and BLAKE2 for hashing
It’s practical

20. Very low overhead vs passive security

21. Faster private set intersection with our 1-out-of-n OT

22. Blueprint for OT-based private set intersection
Random
1-out-of-n OT
From [PSZ14,PSSZ15]
Private set inclusion
Private set intersection

23. Private set inclusion from 1-out-of-n OT
1-out-of-n OT on random strings => private set inclusion on elements of {1, ..., n}
Previous works: several OTs for 1 PS inclusion on long strings
Observation: our 1-out-of-n random OT works for n = O(2k)
Only need one OT for each PS inc.
Needs new OT definition + security proof

24. Conclusion 1-out-of-n OT extension is very cheap Open problems:
With active security
Even for very large n (on random strings)
Around 3x improvement to PSI
Open problems:
Fast, actively secure PSI
Fast 1-out-of-2 OT on bits with O(1) communication

25. Thank you! Full paper: http://ia.cr/2016/933
Code:

26. Low-Leakage Secure Search for Boolean Expressions
CRYP-F02
Low-Leakage Secure Search for Boolean Expressions
Fernando Krell (Dreamlab Technologies)
Gabriela Ciocarlie (SRI International)
Ashish Gehani (SRI International)
Mariana Raykova (Yale University)

27. Searchable Encryption
Server
Data Owner
Setup
Enc(D), Enc(Index(D))
Search
Enc(query)
Enc(result)
Output results
Solution 1: Retrieve all documents and compute query locally
Solution 2: Build secure index for efficient search
Issue: Search pattern and access pattern leakage 27

28. Delegated Queries 1. Enc(D), Enc(Index) 3. Query token
2. Access params
4 .Encrypted Results
5. Decryption keys
Solutions:
OSPIR-OXT (CCS’13)
Blind Seer (S&P’14 ’15)
IKLO (CT-RSA’16) 28

29. This work: Remove leakage to server for delegated queries.
Leakage allows for efficiency
What does this leakage means in practice?
Attacks:
IKM NDSS’12
LZWT Inf. Sci. ‘14
CGPR CCS ’15
KKNO CCS ’16
This work: Remove leakage to server for delegated queries. 29

30. ORAM Oblivious Random Access Machines GO J. ACM ‘96
Outsource memory to server
Hide access patterns
Polylog overhead for access
Polynomial space 30

31. 𝐹 Other Tools 𝑠 𝐹 𝑠 (𝑥) 𝑥 Set representation via Bloom Filters
Bit array
Hash functions
Set bits pointed by hash of elements
Oblivious PRF 𝑥 𝑠 𝐹
𝐹 𝑠 (𝑥) 31

32. Construction Sketch Secure Index outsourced to server in ORAM
Give index key 𝑠 to server and ORAM access params to client
Encrypted index bits are retrieved by client
Client and server perform secure computation to evaluate encrypted index bits against query
What to we gain?
Server doesn’t learn any access pattern
Client doesn’t learn partial value of index bits 32

33. The Index Use Blind-Seer index:
Search tree: nodes store searchable keywords of subtree
Leaves point to records.
Nodes: Bloom filters.
In Blind Seer, BF are One-time padded.
Use of 2PC to remove pad and evaluate formula.
Result is leaked to both client and server. 33

34. Our Approach Store Bloom filter tree in ORAM Remove leakage to server.
Give access parameters to client
Avoid performing secure computation on all ORAM retrieved elements.
Encode bloom filter bits such that
Client doesn’t learn bits or partial query evaluation.
Client only learns result of evaluation 34

35. Oblivious Bloom Filter Evaluation
Bit encoding: 𝑏→ 𝑏 =(𝑔 𝑏 × 𝐹 𝑠 𝑟 ,𝑟)
BF eval: client has 𝑏 1 , 𝑏 2 ,…, 𝑏 h , server has secret 𝑠
Obtain ∏ 𝐹 𝑠 𝑟 𝑖
Compute 𝑔 ∑ 𝑏 𝑖
Compare against 𝑔 ℎ
Issues:
Client can compare values of different evaluations.
Solution: client gets masked PRF value ∏ 𝐹 𝑠 𝑟 𝑖 ×𝑅
Client can compute 𝑔 ∑ 𝑏 𝑖 × 𝑔 𝑗 , and learn ∑ 𝑏 𝑖 exactly
Solution: Hide generator 𝑔 from client. 35

36. Bloom filter Evaluation Protocol
𝑖= 𝐻 𝑗 𝑞𝑢𝑒𝑟𝑦 𝑗∈[ℎ]}
ORAM Lookups for BF bits
{ 𝑏 𝑖 =〈 𝑔 𝑏 𝑖 × 𝐹 𝑠 ( 𝑟 𝑖 ), 𝑟 𝑖 〉} 𝑠
𝑟 1 , 𝑟 2 , …,𝑟 ℎ
Masked OPRF 𝑅
∏ 𝐹 𝑠 𝑟 𝑖 × 𝑅 −1
𝑔 ∑ 𝑏 𝑖 ×𝑅
Comparison
𝑔 ℎ ×𝑅
Yes/No 36

37. Oblivious PRF Hashed DH PRF Multiplicative Masked OPRF 𝑟 𝑋=𝐻 𝑟 𝛼 𝑠
𝑋=𝐻 𝑟 𝛼 𝑠
𝑌= 𝑋 𝑠
F 𝑠 𝑟 =𝐻 𝑟 𝑠
Output 𝑌 𝛼 −1
Multiplicative Masked OPRF
{ 𝑟 1 , 𝑟 2 ,…, 𝑟 ℎ } 𝑠
W= 𝑔 𝛽
𝑋= 𝑊⋅∏𝐻 𝑟 𝑖 𝛼
𝑌= 𝑋 𝑠
∏ F 𝑠 𝑟 𝑖 ⋅ R −1 =∏𝐻 𝑟 𝑖 𝑠 ⋅ 𝑔 𝛽⋅𝑠
𝑅=𝑔 −𝛽×𝑠
Output 𝑌 𝛼 −1 37

38. Boolean Formulas Conjunctions: Trivial
Single term queries are conjunctions over BF bits
Just add ORAM lookups for each term
Evaluate as single term case
Disjunctions: 𝑞= 𝐶 1 ∨ 𝐶 2 ∨…∨ 𝐶 |𝑞|
Use set of possible matching values
|𝑞| terms ⇒≈ ℎ 𝑞 possible values
Idea: client obtains
𝑔 ∑ 𝑏 𝑖 ⋅ 𝑅 1 𝐿_1 ⋅ 𝑔 ∑ 𝑏 𝑗 ⋅ 𝑅 2 𝐿 2 ⋅…⋅ 𝑔 ∑ 𝑏 𝑘 ⋅ 𝑅 |𝑞| 𝐿 𝑞 ) 38

39. Empirical Results 1/2 39

40. Empirical Results 2/2 40

41. Conclusion Security: Removed all important leakage to server.
Functionality: Support for small DNF formulas.
Efficiency: Seconds per record.
Introduced protocol for Oblivious bloom filter evaluation via oblivious PRFs 41

42. Directions for future work
Protect index access pattern leakage to client.
Index space is x 10^3 of plaintext solution.
Improve efficiency for complex Boolean formulas.
Use circuit approach (e.g. YAO’s GC).
Use of specially designed ORAMs to store index (Oblivious data structures WNLCSSH CCS ’14, KS ASIACRYPT ‘14).
Include robust access control for queries. 42